Why Gawker's Security Breach Is So Bad

A group of hackers has infiltrated Nick Denton's Gawker Media empire in what some are calling the most damaging cyber security breach of a media company to date. The usernames, emails and passwords of up to 1.3 million registered users were published to the web over the weekend. The blogs under the Gawker Media umbrella include Gizmodo, Deadspin, Kotaku, Jezebel, io9, Jalopnik, Lifehacker and Fleshbot. A group named "Gnosis" is taking responsibility for the attack, telling Mediaite: "We went after Gawker because of their outright arrogance." Many suspect this is a reference to the cyber attacks waged against Gawker in July, in which Gawker taunted hackers at 4Chan.org and flaunted its ability to withstand DDoS attacks.

The hacker group also sent a message to Gawker:

Your empire has been compromised, Your servers, Your databases, Online accounts and source code have all been ripped to shreds! You wanted attention, well guess what, You've got it now!

In a post published yesterday to readers, the Gawker staff wrote:
"We're deeply embarrassed by this breach. We should not be in the
position of relying on the goodwill of the hackers who identified the
weakness in our systems." Here's what other bloggers are saying about
the attack and why it's so devastating for Gawker:

People Must Change Their Passwords Immediately, writes Melissa Bell at The Washington Post:

All registered users of the sites need to change their passwords, as the hackers leaked the user name and passwords Sunday. If people use the same user name and password combination for other sites, including online banking sites, it could severely compromise their Internet security. To illustrate that danger, Urlesque editor Nick Douglas broke into Nick Denton's Flickr account and added a friendly reminder that Denton, the CEO of Gawker Media, should change his password.
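The reuse risk described above is also what a defender on an unrelated site has to act on after a dump like this: find the local accounts whose leaked password still verifies and force a reset before someone else tries it. The following is an added example written for this page, not code from Gawker, Hint, or anyone quoted here. The dump lines and the local user table are constructed, and the salted PBKDF2 storage scheme is an assumption about how a well-run site would store its own passwords.

```python
"""
Defender-side cross-check after a third-party credential dump.

Added example for this article; it is not Gawker's code or any vendor's
tool. The leaked dump and the local user table below are constructed for
illustration, and the salted PBKDF2 scheme is an assumption about how a
well-run site would store its own passwords.
"""
import hashlib
import hmac
import os

# Constructed sample of a third-party dump, as "email:password" lines.
LEAKED_DUMP = """\
alice@example.com:hunter2
bob@example.org:correct horse battery staple
carol@example.com:Tr0ub4dor&3
dave@agency.example.gov:password1
malformed line without separator
"""

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (assumed local scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    """Build one local user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


def parse_dump(text: str) -> dict:
    """Map lower-cased email -> leaked password, skipping lines that don't parse.

    partition() splits on the first colon only, so passwords containing
    colons or spaces survive intact.
    """
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        creds[email.strip().lower()] = password
    return creds


def accounts_to_reset(dump_text: str, users: list) -> list:
    """Return emails of local users whose leaked password verifies locally.

    The leaked plaintext is hashed with the user's own salt and compared in
    constant time; only accounts that actually reused the password are flagged.
    """
    leaked = parse_dump(dump_text)
    hits = []
    for user in users:
        pw = leaked.get(user["email"].lower())
        if pw is None:
            continue
        candidate = hash_password(pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            hits.append(user["email"])
    return hits


def build_sample_users() -> list:
    """Constructed local user table: two reusers, one non-reuser, one not in the dump."""
    return [
        make_user("alice@example.com", "hunter2"),              # reused
        make_user("bob@example.org", "a-different-password"),   # not reused
        make_user("Dave@agency.example.gov", "password1"),      # reused, case differs
        make_user("erin@example.net", "unrelated"),             # not in dump
    ]


if __name__ == "__main__":
    for email in accounts_to_reset(LEAKED_DUMP, build_sample_users()):
        print("force reset:", email)
```

Running it flags alice and Dave only: bob appears in the dump but used a different password locally, so he is left alone, and the malformed line is ignored rather than aborting the sweep. Matching is done by hashing the leaked plaintext under each local salt, so the check never needs the leaked hashes to be in the same format as yours.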

The passwords are the least damaging thing here... Gawker’s commenters were operating under the understanding that they were anonymous; now, at least 188,000 of them, and probably more in coming days, can be associated with an email address ... Many [of those e-mail addresses] can easily be traced to an individual. I can imagine more than a few commenters on Gawker and Wonkette and Fleshbot who would be mortified or possibly even fired if their identities became public. And already a list of .gov email/password combinations is being passed around to see whether those same passwords will unlock state secrets elsewhere.

This Is Bad for Gawker's Business, writes Business Insider. The biggest part, it argues, "might be the leaking of Gawker's source code. (Source code is the computer code used to write programs.)" Why?

A big part of Gawker's success that doesn't often get
mentioned is its powerful content management system (CMS), the type of
software that media sites like Gawker (and Business Insider) use to
publish articles. Gawker's CMS is reportedly state of the art, and the
product of many iterations and learnings. With an advanced CMS, a media
site can tell which articles are taking off and highlight them to
viewers, maximizing pageviews and traffic to the site, which means more
engaged viewers and higher ad revenue... With that source code leaked,
unscrupulous competitors can copy many of Gawker's techniques. Its CMS
is a big part of its "secret sauce."

Gawker Shouldn't Have Egged on Hackers, writes Daniel Kennedy at Forbes: "Claiming publicly that something is unhackable is usually a good way to find out that it is. Making unnecessary statements of bravado, statements potentially divorced from reality, changes the equation for an attacker; it suddenly makes compromising your environment worth more of his or her time. Put another way, thumbing your nose at an entire world's population of crackers is usually a lousy idea."

Gawker Responded Terribly, writes Business Insider. "When they became
aware of the breach they didn't tell anyone until other media outlets
had reported on it, even though it meant more time for hackers to
compromise accounts of unsuspecting commenters." In addition, "they haven't emailed all
commenters whose accounts have been compromised to tell them to change
their passwords, letting unrelated startup Hint do it. And even though
they've technically apologized for the whole thing, the apology doesn't
sound very, well, apologetic."

When you put the Gawker hack in context of recent events--notably the targeting of sites like Visa, Mastercard and PayPal over the Wikileaks flap--the picture gets ugly in a hurry... If a site--media, government, e-commerce or otherwise--is on the end of a cause you disagree with, a denial-of-service attack (or any other attack) cannot be ruled out. At this rate, every site is going to be attacked. Gawker serves as a cautionary tale to button up your security procedures pronto. This hack-to-make-a-point approach is likely to pick up steam.
